This month's challenge is to analyze a home-made malware binary, in an effort to
reinforce the value of reverse engineering malware, and improve (by learning from
the security community) the methods, tools and procedures used to do it. Submissions
are due no later than 23:00 CET, Friday, 1 October, 2004, and the results will be
released a month later, Friday, 29 October. Review the challenge submission rules
at the SOTM homepage before submitting your results.

Skill Level: Intermediate

The Challenge:
All we are going to tell you about the binary is that it was created to increase
security awareness around malware specimens and to point out the need for
additional defensive countermeasures to fight current malware threats. It will be
presented at the SANS Security conference on 3 October 2004. It is now your
goal as an incident handler - should you choose to accept it - to analyze
this binary in depth and obtain as much information as possible about how it works, its
purpose and capabilities, and, most important, to show all the malware analysis techniques
you followed to obtain every piece of information included in your submission. Be as
detailed as possible so that others can reproduce your analysis steps. You can use the
previous Honeynet Reverse Challenge results as a background reference to aid
in your analysis. There is a prize for the top three submissions: an author-signed copy
of Ed Skoudis' book
Malware: Fighting Malicious Code.

*WARNING*
The binary is a piece of malicious code, so precautions must be taken to ensure that
production systems are not infected. It is recommended that this unknown specimen be
handled on a closed and controlled system/network.

Identify and provide an overview of the binary, including the fundamental pieces of
information that would help in identifying the same specimen.
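The first task asks for the identifying facts of a specimen. The script below is an added example, not part of the challenge text or the Honeynet Project's own material: it records what an analyst would put at the top of a report (size, MD5/SHA-1/SHA-256, file format from magic bytes, and embedded printable strings). The sample bytes are constructed here to look like a minimal PE file; they are not the challenge binary.

```python
import hashlib
import re

# Constructed stand-in for a Windows PE specimen (not the challenge binary and not
# real malware): the DOS "MZ" magic, the e_lfanew pointer at offset 0x3C, a "PE\0\0"
# signature at offset 0x40, and a few embedded strings an analyst would want to see.
SAMPLE_PE = (
    b"MZ" + b"\x00" * 58 + (0x40).to_bytes(4, "little")   # e_lfanew -> 0x40
    + b"PE\x00\x00" + b"\x00" * 20
    + b"http://example.invalid/update\x00"                 # constructed URL string
    + b"Global\\SpecimenMutex\x00"                         # constructed mutex name
    + b"\x01\x02\x03"
)


def detect_format(data: bytes) -> str:
    """Coarse file-type label from leading magic bytes."""
    if data.startswith(b"MZ"):
        # In a PE file the DOS header field e_lfanew (offset 0x3C, little-endian
        # DWORD) gives the offset of the "PE\0\0" signature.
        if len(data) >= 0x40:
            pe_off = int.from_bytes(data[0x3C:0x40], "little")
            if data[pe_off:pe_off + 4] == b"PE\x00\x00":
                return "PE executable"
        return "MZ/DOS executable"
    if data.startswith(b"\x7fELF"):
        return "ELF executable"
    return "unknown"


def extract_strings(data: bytes, min_len: int = 6) -> list:
    """Runs of printable ASCII of at least min_len bytes (what `strings -n 6` reports)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def fingerprint(data: bytes) -> dict:
    """Identifying facts for a specimen: size, three hashes, format, strings."""
    return {
        "size": len(data),
        "md5": hashlib.md5(data).hexdigest(),
        "sha1": hashlib.sha1(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
        "format": detect_format(data),
        "strings": extract_strings(data),
    }


if __name__ == "__main__":
    # On a real case you would read the file from the isolated analysis box:
    # data = open("specimen.bin", "rb").read()
    for key, value in fingerprint(SAMPLE_PE).items():
        print(f"{key:8}: {value}")
```

Recording all three hashes matters because other analysts and public sandboxes index specimens by different digests; the strings list is a starting point for the later tasks (purpose, communication methods), not evidence on its own, since packed or obfuscated samples hide most of them.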

Identify and explain the purpose of the binary.

Identify and explain the different features of the binary. What are its capabilities?

Identify and explain the binary's communication methods. Develop a Snort signature to
detect this type of malware that is as generic as possible, so that other similar
specimens can be detected, while at the same time avoiding a high false-positive rate.

Identify and explain any techniques in the binary that protect it from being analyzed
or reverse engineered.